2017’s Notable Vulnerabilities and Exploits

A hacker or cybercriminal’s toolbox would not be complete without vulnerabilities and exploits. They are what social engineering is to fraudsters and scammers. In the first half of 2017, Trend Micro’s Zero Day Initiative discovered and disclosed 382 new vulnerabilities. Zero-days in 2017 increased to 49 from a mere eight the previous year. Any one of these can allow an attacker into a vulnerable system or network, which is why it's important to keep the systems and applications updated (or deploy virtual patching). As this year’s biggest cybersecurity incidents showed, it only takes one weak link to affect millions.

Cloudbleed

Divulged by Google’s Project Zero team in February, Cloudbleed is a security issue in Cloudflare’s proxy services. The bug allowed unauthorized access to sensitive data in the memory of programs running on the internet infrastructure provider’s web servers. These include credentials, website cookies/browsing sessions, Application Programming Interface (API) keys, and private messages, some of which search engines like Google had cached.

Cloudbleed was initially pegged to be the next Heartbleed given the list of potential victims, which includes the likes of Uber, Fitbit, and OkCupid. Cloudbleed was reportedly triggered 1.2 million times by more than 6,000 websites. Fortunately, Cloudflare was quick to remedy the issue with a patch, and its impact has been minimal so far.


Shadow Broker Exploit Dumps

In 2016, a hacker group named Shadow Brokers put several stolen hacking tools and exploits up for sale, but failed to make a profit. The group incrementally dumped the tools the following year, including the infamous EternalBlue exploit. The trove of leaked tools included more than 20 exploits and 30 information-stealing Trojans.

Among them is DoublePulsar, a backdoor implant that enabled attackers to execute shellcode. It was the initial payload many of the exploits dropped. Among the most notable are EternalRomance, which Petya and Bad Rabbit ransomware also used; and EternalSynergy, a customized version of which was found in Bad Rabbit’s code. Many of the exploits leverage flaws in Windows’ Server Message Block (SMB).


Seven months later, EternalBlue is still alive and kicking. In fact, it remains one of the most prevalent exploits detected by Trend Micro sensors, along with EternalChampion (CVE-2017-0147). Despite the notoriety it gained during the WannaCry outbreak, EternalBlue still triggered over 515,000 MS17-010-related security events from November 20 to 26.

Number of security events triggered by our sensors related to vulnerabilities patched in MS17-010 (EternalBlue and EternalChampion), from June 26 to December 3, 2017; note these are partial detections from our telemetry

Apache Struts

The open-source framework used for building Java web applications grabbed headlines this year when the attack vector for the Equifax data breach was confirmed to be a vulnerability in Apache Struts. The security flaw (CVE-2017-5638), which was patched last March, allowed attackers to gain unauthorized access to data via remote code execution. The impact was unprecedented, affecting 145 million U.S. and 400,000 U.K. customers, as well as 100,000 Canadian consumers.

Intrusion attempts we observed exploiting CVE-2017-5638 from March 15 to November 30, 2017

The Equifax data breach wasn’t just a case of stolen passwords or credit card information. The stolen data included information that, unlike a password or card number, isn't easily replaced.

Several notable vulnerabilities in Apache Struts were also divulged this year: OptionsBleed (CVE-2017-9798), which can leak sensitive information when exploited; as well as CVE-2017-9805 and CVE-2017-9791 that can enable attackers to execute remote code.


Toast Overlay

At the last Black Hat conference, security researchers presented their findings on a vulnerability (CVE-2017-0752) in the Android mobile operating system. Dubbed Toast Overlay, it can deceive unwitting users into installing malware by superimposing benign images atop malicious apps. Toast Overlay abuses the alerts and notifications features in Android’s Accessibility Service. All versions of Android were susceptible except the latest, Oreo.

Last November, Trend Micro came across several apps in Google Play carrying malware that fully weaponized the Toast Overlay proof of concept: TOASTAMIGO. It downloads and installs another malware, AMIGOCLICKER, which has ad-clicking and persistence capabilities.


BlueBorne

BlueBorne is a set of authentication, authorization, and information disclosure flaws in Bluetooth-enabled devices. When successfully exploited, BlueBorne can lead to man-in-the-middle attacks, letting hackers hijack the Bluetooth-enabled device.

The flaws enable an attacker to sniff, spy on, intercept or divert traffic between vulnerable Bluetooth-enabled devices in order to access their data. BlueBorne reportedly affects as many as 5.3 billion Bluetooth-enabled devices. Vendors accordingly rolled out patches for their platforms.

KRACK

Key Reinstallation Attack (KRACK) is a proof of concept that exploits vulnerabilities in the Wi-Fi Protected Access 2 (WPA2) protocol. KRACK entails flaws in how handshakes (the communication between devices) are authenticated, letting an attacker eavesdrop on the network traffic between the device and Wi-Fi access point.

The researchers disclosed that 41% of Android devices are vulnerable to KRACK. Wi-Fi-enabled systems running Linux, as well as Apple, Windows, OpenBSD, MediaTek, and Linksys devices are also affected. The Wi-Fi Alliance, which developed WPA2, issued an advisory about mitigating KRACK, while vendors such as Microsoft and Android rolled out their own patches.


Controller Area Network (CAN)

CAN is the network protocol connecting in-vehicle equipment and systems, enabling them to communicate. It’s been the standard in modern cars since it debuted in production vehicles in 1989. Collaborative research by the Trend Micro Forward-Looking Threat Research Team, Politecnico di Milano, and Linklayer Labs uncovered a design flaw in CAN—how it handles error messages, to be exact.

Exploiting this flaw can potentially allow an attacker to disable a device connected to the car’s device network—airbags, parking sensors, and safety systems, among others. The U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has released a security advisory and is currently coordinating with vendors and security researchers to identify mitigations.


Intel Management Engine

On November 20, Intel released an advisory detailing several flaws in its Management Engine (ME). It’s a feature incorporated in Intel processor chips that lets system administrators remotely manage computers. The vulnerabilities reportedly also affect servers and internet-of-things (IoT) platforms. When successfully exploited, the flaws can give attackers access to ME and ME-related services, enabling them to execute arbitrary code and cause system crashes.

But there was also another ME-related vulnerability that posed a bigger risk: CVE-2017-5689, nicknamed Silent Bob is Silent. It is a privilege escalation flaw disclosed last May that can let attackers remotely reset or power off the vulnerable machine when exploited. For comparison with the recently identified flaws, CVE-2017-5689 has a CVSS v3 score of 9.8. Laptops, desktops, and servers from various vendors were affected, reportedly including those made as long ago as 2008.

